Harvard Computer Science Technical Reports for 2015

Information erasure is a formal security requirement that stipulates when sensitive data must be
removed from computer systems. In a system that correctly enforces erasure requirements, an attacker who observes
the system after sensitive data is required to have been erased cannot deduce anything about the data. Practical
obstacles to enforcing information erasure include: (1) correctly determining which data requires erasure; and (2)
reliably deleting potentially large volumes of data, despite untrustworthy storage services.

In this paper, we present a novel formalization of language-based information erasure that supports cryptographic
enforcement of erasure requirements: sensitive data is encrypted before storage, and upon erasure, only a relatively
small set of decryption keys needs to be deleted. This cryptographic technique has been used by a number of systems
that implement data deletion to allow the use of untrustworthy storage services. However, these systems provide
no support to correctly determine which data requires erasure, nor have the formal semantic properties of these
systems been explained or proven to hold. We address these shortcomings. Specifically, we study a programming
language extended with primitives for public-key cryptography, and demonstrate how information-flow control
mechanisms can automatically track data that requires erasure and provably enforce erasure requirements even
when programs employ cryptographic techniques for erasure.

Aslan Askarov, Stephen Chong, and Heiko Mantel 2015. ``Global and Local Monitors to Enforce Noninterference in Concurrent Programs''
Controlling confidential information in concurrent
systems is difficult, due to covert channels resulting from interaction
between threads. This problem is exacerbated if threads
share resources at fine granularity.

In this work, we propose a novel monitoring framework to
enforce strong information security in concurrent programs. Our
monitors are hybrid, combining dynamic and static program
analysis to enforce security in a sound and rather precise fashion.
In our framework, each thread is guarded by its own local
monitor, and there is a single global monitor. We instantiate our
monitoring framework to support rely-guarantee style reasoning
about the use of shared resources, at the granularity of individual
memory locations, and then specialize local monitors further to
enforce flow-sensitive progress-sensitive information-flow control.
Our local monitors exploit rely-guarantee-style reasoning about
shared memory to achieve high precision. Soundness of relyguarantee-
style reasoning is guaranteed by all monitors cooperatively.
The global monitor is invoked only when threads
synchronize, and so does not needlessly restrict concurrency. We
prove that our hybrid monitoring approach enforces a knowledgebased
progress-sensitive noninterference security condition.